d76c16d9a7
The upstream MCP container requires a SonarQube user token in the Authorization header. Without one, every call returns 401.

- proxy: read SONARQUBE_TOKEN via sonarqube_token() at session-open time; raise TokenMissingError when unset/blank. upstream_session() attaches the token as "Authorization: Bearer <token>" via streamablehttp_client(headers=...).
- cli: fail fast in serve and check with a clear stderr message and exit 1 when the token is missing, before any network attempt. All exception text written to stderr passes through _redact() so an accidentally-leaked token from a third-party exception is replaced with [REDACTED] before display.
- The token is never stored on any object, never logged, and the TokenMissingError message contains no token material (it only describes how to generate one in SonarQube).
- Tests: header forwarding via mocked streamablehttp_client, missing-token exit code, redaction in CLI error paths, whitespace stripping on the token. Total: 25 tests.
- Docs: README/CLAUDE updated with the new env-var, Claude Desktop config snippet, and the security guarantees. CHANGELOG added. Bumps version to 0.2.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Changelog
All notable changes to this project are documented here. The format follows Keep a Changelog, and this project adheres to Semantic Versioning.
[0.2.0] — 2026-05-06
Added
- SONARQUBE_TOKEN (required). The upstream MCP server expects a SonarQube user token in the Authorization header. The proxy now reads the token from the environment and forwards it as Bearer <token> on every connection.
- TokenMissingError raised by proxy.sonarqube_token() when the variable is unset or blank.
- Early fail-fast token check in serve and check — exits with code 1 and a clear stderr message pointing to My Account → Security in SonarQube.
- Defensive token redaction: any stderr output that includes exception text has occurrences of the live token replaced with [REDACTED] before display.
- Test coverage for header forwarding, missing-token exit, and token non-leakage in error paths.
Changed
- upstream_session() now opens the streamable-HTTP client with the Authorization header attached.
- README and CLAUDE.md updated with the new env-var, the Claude Desktop config snippet now includes SONARQUBE_TOKEN, and the security guarantees are documented.
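The token handling and stderr redaction described for 0.2.0, as an added sketch that is not the project's own code. The names sonarqube_token and TokenMissingError come from this changelog; the function bodies, redact (standing in for the commit's _redact), auth_headers, format_error, the env parameter and the sample token are assumptions made for illustration, and the sketch goes slightly beyond the text by also walking chained exceptions.

```python
import os

REDACTED = "[REDACTED]"

class TokenMissingError(RuntimeError):
    """Raised when SONARQUBE_TOKEN is unset or blank; carries no token material."""

def sonarqube_token(env=None):
    """Read the token at call time and strip whitespace; nothing is cached."""
    env = os.environ if env is None else env
    token = (env.get("SONARQUBE_TOKEN") or "").strip()
    if not token:
        raise TokenMissingError(
            "SONARQUBE_TOKEN is not set; generate a user token under "
            "My Account -> Security in SonarQube."
        )
    return token

def auth_headers(env=None):
    """Headers for the upstream connection, built per call, never stored."""
    return {"Authorization": f"Bearer {sonarqube_token(env)}"}

def redact(text, env=None):
    """Replace every occurrence of the live token in text bound for stderr."""
    try:
        token = sonarqube_token(env)
    except TokenMissingError:
        return text  # no live token, so nothing can leak
    return text.replace(token, REDACTED)

def format_error(exc, env=None):
    """Render an exception and its chained causes, redacted before display."""
    parts, seen = [], set()
    while exc is not None and id(exc) not in seen:
        seen.add(id(exc))
        parts.append(f"{type(exc).__name__}: {exc}")
        exc = exc.__cause__ or exc.__context__
    return redact("error: " + " <- ".join(parts), env)

if __name__ == "__main__":
    # Constructed sample: a third-party error that echoes the request headers.
    sample_env = {"SONARQUBE_TOKEN": " squ_constructed_example_token\n"}
    leaked = ConnectionError(f"401 with headers {auth_headers(sample_env)}")
    print(format_error(leaked, sample_env))
```

Exact-match replacement only covers the token as it was sent; a dependency that logs it base64- or URL-encoded would need those forms redacted as well.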
[0.1.0] — 2026-05-06
Added
- Initial transparent stdio MCP proxy implementation. Forwards tools/list and tools/call 1:1 to an upstream streamable-HTTP MCP server.
- Schema preservation: Tool objects (inputSchema, outputSchema, annotations, title, _meta) and CallToolResult (isError, structuredContent, content blocks) are passed through unchanged.
- Click-based CLI with serve (stdio) and check (probe-and-list) commands.
- pytest suite (14 tests) covering env resolution, schema passthrough, forwarding, registration, end-to-end dispatch, and CLI error paths.